Configuring email ownership verification options - PingFederate - 10.3


Based on your customer IAM use cases, you can optionally offer users the opportunity to confirm the ownership of the email address associated with their accounts. You can configure this option on a per-local identity profile basis.

Using the administrative console, configure the email ownership verification settings for a local identity profile.

When you enable these settings, PingFederate generates a notification message for email ownership verification when the user submits the registration request. The email-verification message is valid for a configurable amount of time, 24 hours by default. If the user cannot find the previously sent message, the user can request another one by accessing the email ownership verification endpoint. Moreover, if profile management is enabled, the profile management page also displays a reminder until the user verifies the associated email address. Like other local identity fields, the email verification status is stored in the directory and can be relayed to the applicable target applications through identity provider (IdP) authentication policies.

  1. Go to Authentication > Policies > Local Identity Profiles.
  2. On the Email Verification tab, select the Enable Email Ownership Verification check box to offer users the opportunity to verify the email address associated with their accounts.

    The Email Verification tab appears only when you select the Enable Registration check box or the Enable Profile Management check box on the Profile Info tab.

    The Enable Email Ownership Verification check box is not selected by default.

    Note:

    The rest of the steps apply only if you enable email ownership verification.

  3. In the Email Address Field list, select a field.

    The field value represents the recipient of the verification message.

    Only fields that use the Email or Text input control are eligible and shown.

  4. In the Ownership Status Field list, select a field.

    The field value represents the email ownership verification status. PingFederate sets the value to false in the directory when it receives a new or an updated email address from the user. After the user verifies the email ownership, PingFederate sets the value to true.

    Only fields that use the Hidden input control are eligible and shown.

  5. To modify the longevity of the link in the email-verification message, update the One-Time Link Lifetime field.

    The default value is 1440 minutes (24 hours).

  6. Optional: To use different template files for various events, update the applicable template fields.
    Note:

    These templates are only applicable when using an SMTP Notification Publisher instance to deliver email-verification messages.

    The following table shows the default template fields and their corresponding values.

    Template field      Default value
    ----------------    --------------------------------------------------
    Email Template      message-template-email-ownership-verification.html
    Sent Template       local.identity.email.verification.sent.html
    Success Template    local.identity.email.verification.success.html
    Error Template      local.identity.email.verification.error.html

    Note:

    You can find the email template file in the <pf_install>/pingfederate/server/default/conf/template/mail-notifications directory and the other templates in the template directory.

  7. In the Notification Publisher list, select an instance.

    If you haven't yet configured the desired notification publisher instance, click Manage Notification Publishers.

  8. Optional: To require users to verify their email address before they can access any connected applications, select the Require Verified Email check box and specify a template in the Require Verified Email Template field.

    When enabled, users can sign on to their local identity profile and manage their account, but PingFederate blocks them from accessing any connected applications until they have successfully verified their email address.

    Note:

    The Require Verified Email Template field appears only when you select the Require Verified Email check box.

    By default, the Require Verified Email Template value is local.identity.email.verification.required.html and provides options to Resend the verification email, Continue, or Cancel.

    Tip:

    To add a Manage Profile option, select the Enable Profile Management check box as described in step 4 of Configuring local identity profile information.

    Screen capture of the Local Identity Profile configuration window with the Email Verification tab clicked. There are fields for Enable Email Ownership Verification, Email Address Field, Ownership Status Field, One-Time Link Lifetime, Email Template, Sent Template, Success Template, Error Template, Notification Publisher, Require Verified Email, and Require Verified Email Template. The Require Verified Email check box is selected and the Require Verified Email Template field has the default value entry. Both of these fields are highlighted in the screen capture.
  9. Click Next.
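
The settings above interact as a small state machine: the Ownership Status Field, the One-Time Link Lifetime, and Require Verified Email. The following Python sketch is an added example that models that behavior for review and test planning; it is not PingFederate code, and the class name, method names, SHA-256 token storage, and the revocation of outstanding links on an email change are assumptions of the model.

```python
import hashlib
import secrets
from datetime import timedelta

DEFAULT_LINK_LIFETIME_MIN = 1440  # page default: 1440 minutes (24 hours)


class LocalIdentity:
    """Constructed model of one account; not PingFederate's own code."""

    def __init__(self, email, require_verified_email=False,
                 link_lifetime_min=DEFAULT_LINK_LIFETIME_MIN):
        self.require_verified_email = require_verified_email
        self.lifetime = timedelta(minutes=link_lifetime_min)
        self._pending = None  # (sha256 of token, expiry) of the live link
        self.set_email(email)

    def set_email(self, email):
        # A new or updated address resets the ownership status to false.
        self.email = email
        self.email_verified = False
        self._pending = None  # assumption: outstanding links are revoked

    def issue_link(self, now):
        # Also models "request another one": the newest link replaces the old.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending = (digest, now + self.lifetime)
        return token

    def verify(self, token, now):
        if self._pending is None:
            return False
        digest, expiry = self._pending
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not secrets.compare_digest(presented, digest):
            return False
        if now > expiry:
            return False  # link older than the One-Time Link Lifetime
        self._pending = None  # one-time link: consumed on success
        self.email_verified = True
        return True

    def can_manage_profile(self):
        return True  # sign-on and profile management stay available

    def can_access_applications(self):
        # Blocked only when Require Verified Email is on and status is false.
        return self.email_verified or not self.require_verified_email
```

The cases worth exercising against a real deployment are the same ones the model covers: an expired link, a reused link, a link requested before a later resend, and an email change after successful verification.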